ESB-2026.3823 PUBLISHED CVSS 5.4 MEDIUM

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2026.3823
                         Security update for sqlite3
                               17 April 2026

===========================================================================

        AUSCERT Security Bulletin Summary
        ---------------------------------

Product:           sqlite3
Publisher:         SUSE
Operating System:  SUSE
Resolution:        Patch/Upgrade
CVE Names:         CVE-2025-70873 CVE-2025-7709

Original Bulletin:
   https://www.suse.com/support/update/announcement/2026/suse-su-202621095-1

Comment: CVSS (Max):  5.4 CVE-2025-7709 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L)
         CVSS Source: SUSE
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
         EPSS (Max):  0.1% (16th) CVE-2025-7709 2026-04-15

- --------------------------BEGIN INCLUDED TEXT--------------------

Security update for sqlite3

Announcement ID:   SUSE-SU-2026:21095-1
Release Date:      2026-04-10T19:09:48Z
Rating:            moderate

References:
  o bsc#1248586
  o bsc#1252217
  o bsc#1254670
  o bsc#1259619

Cross-References:
  o CVE-2025-70873
  o CVE-2025-7709

CVSS scores:
  o CVE-2025-70873 ( SUSE ): 5.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
  o CVE-2025-70873 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
  o CVE-2025-70873 ( NVD ):  7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  o CVE-2025-7709 ( SUSE ):  6.9 CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:N/VI:H/VA:L/SC:N/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  o CVE-2025-7709 ( SUSE ):  5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
  o CVE-2025-7709 ( NVD ):   6.9 CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:N/VI:H/VA:L/SC:N/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Affected Products:
  o SUSE Linux Micro 6.2

An update that solves two vulnerabilities and has two fixes can now be
installed.

Description:

This update for sqlite3 fixes the following issues:

Update sqlite3 to version 3.51.3:

Security issues:

  o CVE-2025-7709: Integer Overflow in FTS5 Extension (bsc#1254670).
  o CVE-2025-70873: SQLite zipfile extension may disclose uninitialized heap
    memory during inflation (bsc#1259619).

Non security issue:

  o sqlite3 won't build when using --with icu (bsc#1248586).

Changelog:

Update to version 3.51.3:
  * Fix the WAL-reset database corruption bug:
    https://sqlite.org/wal.html#walresetbug
  * Other minor bug fixes.

Update to version 3.51.2:
  o Fix an obscure deadlock in the new broken-posix-lock detection logic.
  o Fix multiple problems in the EXISTS-to-JOIN optimization.

Update to version 3.51.1:
  * Fix incorrect results from nested EXISTS queries caused by the
    optimization in item 6b in the 3.51.0 release.
  * Fix a latent bug in the fts5vocab virtual table, exposed by new
    optimizations in the 3.51.0 release.

Update to version 3.51.0:
  * New macros in sqlite3.h:
    - SQLITE_SCM_BRANCH -> the name of the branch from which the source
      code is taken.
    - SQLITE_SCM_TAGS -> space-separated list of tags on the source code
      check-in.
    - SQLITE_SCM_DATETIME -> ISO-8601 date and time of the source
  * Two new JSON functions, jsonb_each() and jsonb_tree(), work the same as
    the existing json_each() and json_tree() functions except that they
    return JSONB for the "value" column when the "type" is 'array' or
    'object'.
  * The carray and percentile extensions are now built into the
    amalgamation, though they are disabled by default and must be activated
    at compile-time using the -DSQLITE_ENABLE_CARRAY and/or
    -DSQLITE_ENABLE_PERCENTILE options, respectively.
  * Enhancements to the TCL interface:
    - Add the -asdict flag to the eval command to have it set the row data
      as a dict instead of an array.
    - User-defined functions may now break to return an SQL NULL.
  * CLI enhancements:
    - Increase the precision of ".timer" to microseconds.
    - Enhance the "box" and "column" formatting modes to deal with
      double-wide characters.
    - The ".imposter" command provides read-only imposter tables that work
      with VACUUM and do not require the --unsafe-testing option.
    - Add the --ifexists option to the CLI command line and to the .open
      command.
    - Limit column widths set by the ".width" command to 30,000 or less, as
      there is no good reason to have wider columns, but supporting wider
      columns provides opportunity to malefactors.
  * Performance enhancements:
    - Use fewer CPU cycles to commit a read transaction.
    - Early detection of joins that return no rows due to one or more of
      the tables containing no rows.
    - Avoid evaluation of scalar subqueries if the result of the subquery
      does not change the result of the overall expression.
    - Faster window function queries when using "BETWEEN :x FOLLOWING AND
      :y FOLLOWING" with a large :y.
  * Add the PRAGMA wal_checkpoint=NOOP; command and the
    SQLITE_CHECKPOINT_NOOP argument for sqlite3_wal_checkpoint_v2().
  * Add the sqlite3_set_errmsg() API for use by extensions.
  * Add the sqlite3_db_status64() API, which works just like the existing
    sqlite3_db_status() API except that it returns 64-bit results.
  * Add the SQLITE_DBSTATUS_TEMPBUF_SPILL option to the sqlite3_db_status()
    and sqlite3_db_status64() interfaces.
  * In the session extension add the sqlite3changeset_apply_v3() interface.
  * For the built-in printf() and the format() SQL function, omit the
    leading '-' from negative floating point numbers if the '+' flag is
    omitted and the "#" flag is present and all displayed digits are '0'.
    Use '%#f' or similar to avoid outputs like '-0.00' and instead show
    just '0.00'.
  * Improved error messages generated by FTS5.
  * Enforce STRICT typing on computed columns.
  * Improved support for VxWorks.
  * JavaScript/WASM now supports 64-bit WASM. The canonical builds continue
    to be 32-bit but creating one's own 64-bit build is now as simple as
    running "make".
  * Improved resistance to database corruption caused by an application
    breaking Posix advisory locks using close().

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

  o SUSE Linux Micro 6.2
    zypper in -t patch SUSE-SL-Micro-6.2-529=1

Package List:

  o SUSE Linux Micro 6.2 (aarch64 ppc64le s390x x86_64)
    sqlite3-debugsource-3.51.3-160000.1.1
    sqlite3-debuginfo-3.51.3-160000.1.1
    libsqlite3-0-debuginfo-3.51.3-160000.1.1
    libsqlite3-0-3.51.3-160000.1.1

References:

  o https://www.suse.com/security/cve/CVE-2025-70873.html
  o https://www.suse.com/security/cve/CVE-2025-7709.html
  o https://bugzilla.suse.com/show_bug.cgi?id=1248586
  o https://bugzilla.suse.com/show_bug.cgi?id=1252217
  o https://bugzilla.suse.com/show_bug.cgi?id=1254670
  o https://bugzilla.suse.com/show_bug.cgi?id=1259619

- --------------------------END INCLUDED TEXT----------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AUSCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AUSCERT's members. As
AUSCERT did not write the document quoted above, AUSCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AUSCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://portal.auscert.org.au/bulletins/

===========================================================================
AUSCERT
The University of Queensland, Brisbane QLD 4072 Australia
e: auscert@auscert.org.au
t: +61 (0)7 3365 4417
Allies in Cyber Security
===========================================================================
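The Patch Instructions and Package List above give the fixed build (3.51.3-160000.1.1) for SUSE Linux Micro 6.2 but leave verification to the reader. The following is an added example, not part of the SUSE or AUSCERT bulletin: it takes the output of `rpm -qa --qf '%{NAME} %{VERSION} %{RELEASE}\n'` from a host and reports which of the bulletin's packages are still installed below the fixed build, comparing versions with rpm's own segment rules (numeric versus alphabetic segments, `~` sorting lowest; the `^` operator of newer rpm is not handled, and epoch is ignored because these packages carry none). The `rpm -qa` sample is constructed, and the version `3.50.4` in it is an invented "older build" for illustration.

```python
"""Flag sqlite3 packages installed below the build fixed in SUSE-SU-2026:21095-1.

Added example, not from the bulletin. Input is the output of
    rpm -qa --qf '%{NAME} %{VERSION} %{RELEASE}\n'
The comparison follows rpm's rpmvercmp segment rules; the '^' operator of
newer rpm releases is not handled, and epoch is ignored (these packages
carry none).
"""
import re

# Fixed version and release, taken from the bulletin's Package List.
FIXED_VERSION = "3.51.3"
FIXED_RELEASE = "160000.1.1"

# Package names from the bulletin's Package List (SUSE Linux Micro 6.2).
PATCHED_PACKAGES = {
    "sqlite3-debugsource",
    "sqlite3-debuginfo",
    "libsqlite3-0-debuginfo",
    "libsqlite3-0",
}

# rpmvercmp tokens: a run of digits, a run of letters, or a tilde.
_SEGMENT = re.compile(r"\d+|[A-Za-z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 comparing two RPM version/release strings like rpm does."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x == "~" or y == "~":
            if x != y:                      # '~' (pre-release marker) sorts lowest
                return -1 if x == "~" else 1
            continue
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):            # numeric segments compare as integers
                return -1 if int(x) < int(y) else 1
        elif x.isdigit() or y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment beats an alphabetic one
        elif x != y:
            return -1 if x < y else 1        # alphabetic segments compare lexically
    if len(sa) == len(sb):
        return 0
    # Leftover segments make a string newer, unless the leftover starts with '~'.
    longer_is_a = len(sa) > len(sb)
    rest = sa[len(sb):] if longer_is_a else sb[len(sa):]
    if rest[0] == "~":
        return -1 if longer_is_a else 1
    return 1 if longer_is_a else -1


def evr_cmp(ver_a: str, rel_a: str, ver_b: str, rel_b: str) -> int:
    """Compare version first, then release (epoch omitted, see module docstring)."""
    c = rpmvercmp(ver_a, ver_b)
    return c if c else rpmvercmp(rel_a, rel_b)


def unpatched_packages(rpm_qa_output: str) -> list[str]:
    """Return NAME-VERSION-RELEASE for each bulletin package below the fixed build."""
    found = []
    for line in rpm_qa_output.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue                         # skip blank or malformed lines
        name, ver, rel = parts
        if name in PATCHED_PACKAGES and evr_cmp(ver, rel, FIXED_VERSION, FIXED_RELEASE) < 0:
            found.append(f"{name}-{ver}-{rel}")
    return found


# Constructed sample of `rpm -qa` output: one library on an invented older
# build, one already at the fixed build, and one unrelated package.
SAMPLE_RPM_QA = """\
libsqlite3-0 3.50.4 160000.1.1
libsqlite3-0-debuginfo 3.51.3 160000.1.1
bash 5.2.37 1.1
"""

if __name__ == "__main__":
    for pkg in unpatched_packages(SAMPLE_RPM_QA):
        print("needs SUSE-SU-2026:21095-1:", pkg)
```

Run it against real `rpm -qa` output piped through the query format shown in the docstring; an empty result means every bulletin package present on the host is at or above 3.51.3-160000.1.1. The tilde handling matters because a pre-release such as `3.51.3~rc1` must sort below the fixed `3.51.3`, which a plain string or `sort -V` comparison would get wrong.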

Risk Scores

CVSS v3.1
5.4
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Affected Products

Vendor   Product   Versions
SUSE     sqlite3

Timeline

  • Apr 17, 2026 CVE Published